When you configure Microsoft Advanced Threat Analytics (ATA) to send log data to USM Appliance, you can use the microsoft-ata plugin to translate the raw log data into normalized events for analysis. The table below provides basic information about the plugin.
Device | Details |
---|---|
Vendor | Microsoft |
Device Type | Threat Analytics |
Connection Type | Syslog |
Data Source Name | microsoft-ata |
Data Source ID | 1850 |
Integrating Microsoft Advanced Threat Analytics (ATA)
To configure Microsoft ATA to send Syslog messages to USM Appliance
- On the ATA Center server, click the Microsoft Advanced Threat Analytics Management icon on the desktop and log in.
- Select the Settings option on the toolbar and choose Configuration.
- Under the Configure syslog notifications section, select Syslog server and fill out the fields:
  - Syslog server endpoint — enter the IP address of USM Appliance and port 514 if you are using UDP, or port 601 if you are using TCP.
  - Transport — select UDP, TCP, or TLS.
  - Format — select RFC 3164.
- Click Save.
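The plugin only normalizes what arrives in the format selected above, so a quick check after saving is to confirm that the messages reaching the collector really carry an RFC 3164 header (PRI, "Mmm dd hh:mm:ss" timestamp, hostname, tag). The following script is an added example written for this page; it is not part of the USM Appliance plugin or of Microsoft's documentation. The sample lines are constructed for illustration (the page does not show ATA's actual message text), and the hostname `ata-center-01` and the tag `ATA` are assumptions. It parses each line as RFC 3164 and reports lines the feed would fail to normalize, such as a message sent in RFC 5424 format by mistake.

```python
import re
import socket
from dataclasses import dataclass

# RFC 3164: PRI = facility * 8 + severity, with PRI in the range 0..191.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Header layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)
_TAG = re.compile(r"^([A-Za-z0-9_.-]+)(?:\[\d+\])?:\s*(.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    facility: int
    severity: str
    timestamp: str
    hostname: str
    tag: str
    message: str


def parse_rfc3164(line):
    """Return a SyslogEvent for an RFC 3164 line, or None if it does not match."""
    m = _RFC3164.match(line.rstrip("\r\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 23 / severity 7 is the largest legal PRI
        return None
    facility, sev = divmod(pri, 8)
    rest = m.group("rest")
    tm = _TAG.match(rest)
    # A missing TAG is tolerated: the whole remainder becomes the message.
    tag, msg = (tm.group(1), tm.group(2)) if tm else ("", rest)
    return SyslogEvent(facility, SEVERITIES[sev], m.group("ts"), m.group("host"), tag, msg)


def audit_feed(lines):
    """Split received lines into parsed events and lines that would not normalize."""
    parsed, rejected = [], []
    for line in lines:
        ev = parse_rfc3164(line)
        if ev is None:
            rejected.append(line)
        else:
            parsed.append(ev)
    return parsed, rejected


def receive_udp(port=514, count=5, timeout=30):
    """Capture a few raw UDP datagrams on the collector (needs privileges for port 514)."""
    lines = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("0.0.0.0", port))
        while len(lines) < count:
            try:
                data, _ = s.recvfrom(65535)
            except socket.timeout:
                break
            lines.append(data.decode("utf-8", errors="replace"))
    return lines


# Constructed sample input: one well-formed RFC 3164 line and one RFC 5424 line
# (the "1" version field and ISO timestamp show the wrong Format was selected).
SAMPLE_LINES = [
    "<13>Jan  5 14:02:11 ata-center-01 ATA[1234]: constructed sample event text",
    "<14>1 2024-01-05T14:02:11Z ata-center-01 ATA - - - constructed RFC 5424 line",
]

if __name__ == "__main__":
    ok, bad = audit_feed(SAMPLE_LINES)
    for ev in ok:
        print(f"parsed  : {ev.hostname} {ev.tag} {ev.severity} {ev.message}")
    for line in bad:
        print(f"rejected: {line}")
```

To check a live feed instead of the constructed lines, call `audit_feed(receive_udp())` on the host that ATA was pointed at; any line landing in the rejected list is one the microsoft-ata plugin will not turn into a normalized event, which usually means the Format or Transport setting in ATA does not match what the collector expects.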
Plugin Enablement
For plugin enablement information, see Enable Plugins.
Additional Resources and Troubleshooting
https://docs.microsoft.com/en-us/advanced-threat-analytics/setting-syslog-email-server-settings
For troubleshooting, refer to the vendor documentation:
https://docs.microsoft.com/en-us/advanced-threat-analytics/troubleshooting-ata-using-logs